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Description 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

[0001] The present invention relates generally to the 
field of scrambling systems and more specifically, to an 
external security module for a television signal decoder 
of a broadcast, satellite, or cable television transmission 
system. The present invention has particular application 
for B-type Multiplexed Analog Component (B-MAC) sat- 
ellite transmission, but may also be used for NTSC (Na- 
tional Television Standards Committee), PAL, SECAM, 
or proposed high definition television formats. In addi- 
tion, the scrambling system of the present invention can 
be used in applications in related fields such as elec- 
tronic banking networks, telephone switching systems, 
cellular telephone networks, computer networks, etc. 
The system has particular application to so-called "con- 
ditional-access" multichannel television systems, where 
the viewer may have access to several "basic" chan- 
nels, one or more "premium" or extra-cost channels as 
well as "pay-per-view" programs. 

2. Description of the Relevant Art 

[0002] In a pay television system, a pay television 
service provider typically protects the signal from unau- 
thorized subscribers and pirates through scrambling. 
[0003] For the purposes of the following discussion 
and this invention, the term "subscriber" means one who 
is paying for the television service. The "subscriber" 
could thus be an individual consumer with a decoder in 
his own home, or could be a system operator such as a 
local cable TV operator, or a small network operator 
such as a Hotel/Motel operator with a central decoder 
for all televisions in the Hotel or Motel. In addition, the 
"subscriber" could be an industrial user, as described in 
U.S. Patent 4,866,770 assigned to the same assignee 
as the present application. 

[0004] For the purposes of this invention, a network 
is defined as a program source, (such as a pay television 
provider), an encoder, (sometimes called a "head end"), 
a transmission means (satellite, cable, radio wave, etc.) 
and a series of decoders used by the subscribers as de- 
scribed above. A system is defined as a program 
source, an encoder, a transmission means, and a single 
receiving decoder. The system model is used to de- 
scribe how an individual decoder in a network interacts 
with the encoder. 

[0005] The scrambling process is accomplished via a 
key which may itself be encrypted. Each subscriber 
wishing to receive the signal is provided with a decoder 
having an identification number which is unique to the 
decoder. The decoder may be individually authorized 
with a key to descramble the scrambled signal, provided 
appropriate payments are made for service. Authoriza- 



tion is accomplished by distributing descrambling algo- 
rithms which work in combination with the key (and other 
information) to paying subscribers, and by denying that 
information to non-subscribers and to all would-be pi- 
s rates. 

[0006] The key may be transmitted as a data signal 
embedded in the normal television transmission asso- 
ciated with the identification number of the decoder. In 
a typical television signal, there are so-called "vertical 

io blanking intervals" (VBI) occurring in each field and "hor- 
izontal blanking intervals" (HBI) occurring in each line 
between the chrominance and luminance signals. Vari- 
ous other signals can be sent "in-band" in the vertical 
and horizontal blanking intervals including additional au- 

is dio channels, data, and teletext messages. The key can 
be embedded in these "blanking intervals" as is well 
known in the art. Attention is drawn to U.S. Patent No. 
4,829,569 assigned to the same assignee as the 
present application, showing how such data can be em- 

20 bedded in a B-MAC signal. Alternatively, the key may 
be sent "out-of-band" over a separate data channel or 
even over a telephone line. 

[0007] Maintaining security in a conditional-access 
television network depends on the following require- 
25 ments: 

(i) The signal scrambling techniques must be suffi- 
ciently complex to insure that direct encryptograph- 
ic attack is not practical. 
30 (ii) keys distributed to an authorized decoder cannot 
be read out and transferred to other decoders. 

[0008] The first condition can be satisfied by practical 
scrambling algorithms now available such as the DES 

35 (Data Encryption Standard) or related algorithms. 

[0009] The second condition requires the physical se- 
curity of certain devices within the television signal de- 
coder and is much more difficult to satisfy. Such a device 
must prevent observation of both the key decryption 

40 process and the partially decrypted key signals. 

[0010] Figure 1 shows a prior art conditional-access 
system for satellite transmission. In encoder 101, the 
source program information 102 which comprises video 
signals, audio signals, and data is scrambled in program 

45 scrambler 103 using a key from key memory 104. The 
scrambling techniques used may be any such tech- 
niques which are well known in the art. The key can be 
a signal or code number used in the scrambling process 
which is also required to "unlock" or descramble the pro- 

50 gram in program descrambler 108 in decoder 106. In 
practice, one key can be used (single layer encryption) 
or more than one key (not shown). The key is usually 
changed with time (i.e. - monthly) to discourage piracy. 
The scrambled programs and the key are transmitted 

55 through satellite link 105, and received by conditional- 
access decoder 106. Decoder 106 recovers the key 
from the received signal, stores it in key memory 107 
and applies it to program descrambler 108 which de- 
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scrambles the scrambled program received over satel- 
lite link 105, and outputs unscrambled program 109. The 
"syslem is hot totally secure, as the key is transmitted in 
the clear through the channel and is available for recov- 
ery by pirates. 

[001 1] To overcome this difficulty and referring to prior 
art Figure 2, a method of protecting the key during dis- 
tribution is introduced into the system of Figure 1. Prior 
to transmission, the key used to scramble source pro- 
gram 202 in program scrambler 203 is recovered from 
key memory 204 and itself encrypted in key encryptor 
210 using a secret serial number (SSN) from secret se- 
rial number database 211 which contains a list of the 
secret serial numbers of all legitimate subscribers. 
These secret serial numbers may relate to the unique 
identification numbers mentioned above for each de- 
coder of a network of such decoders. The source pro- 
gram has now been scrambled using the key, and the 
key itself has been encrypted using a secret serial 
number. Thus, the key is not subject to compromise or 
recovery during transmission in comparison with the 
system of Figure 1 . In order to descramble the program, 
the pirate must first obtain the secret serial number of a 
legitimate decoder, match it with the appropriately en- 
crypted key, decrypt the key, and then descramble the 
program. The secret serial number is installed in decod- 
er 206, for example, during manufacture in SSN mem- 
ory 212 resident in decoder 206. The secret serial 
number is therefore unavailable to pirates provided that 
decoder 206 remains physically secure. 
[0012] Each secret serial number is unique to an in- 
dividual decoder or, at least, unique to a group of de- 
coders in order to be reasonably secure. The encrypted 
key may therefore be transmitted to each decoder indi- 
vidually by cycling through a database 211, containing 
all the secret serial numbers of the network in encoder 
201 and forming a separate key distribution message in 
an addressed data packet individually addressed to 
each authorized decoder in the network. An individual 
decoder recognizes when its encrypted key has been 
received by reading the key distribution message at- 
tached to the encrypted key. 

[0013] In known B-MAC systems, the key is distribut- 
ed in an addressed data packet individually addressed 
to a particular subscriber's decoder by means of its 
unique identification number. The addressed data pack- 
et is typically inserted in lines 4 through 8 of the vertical 
blanking interval. Each addressed data packet is typi- 
cally addressed to one individual decoder. As there are 
sixty fields generated per second (30 frames of 2 inter- 
laced fields each) in a B-MAC or NTSC television signal, 
at the rate of one addressed data packet per field, a pos- 
sible sixty different decoders (or groups of decoders) 
can be addressed each second, or 3600 per minute, 
21 5,000 per hour, and over 5 million per day. Since each 
decoder need only be addressed when the service level 
or encryption level changes, there are sufficient frames 
available to individually address each decoder even in 



large systems. The address rate of the decoders may 
be increased by transmitting more than one addressed 
data packet per field.' Additional data packets may be 
inserted in the vertical blanking interval or in the hori- 

5 zontal blanking intervals of each frame. The total 
number of possible addressable decoders is a function 
of the number on data bits available for decoder ad- 
dresses. The B-MAC format typically uses 28 bits for 
decoder addresses, allowing for over 268 million possi- 

io ble decoder addresses. Attention is drawn to the United 
States Advanced Television Systems Committee Re- 
port T2/62, "MULTIPLEXED ANALOG COMPONENT 
TELEVISION BROADCAST SYSTEM PARAMETER 
SPECIFICATIONS", which describes the data format in 

is a B-MAC signal. 

[001 4] After receiving the addressed data packet, key 
decryptor 213 then decrypts the key using the secret se- 
rial number stored in SSN memory 21 2. If service to any 
decoder 206 in the network is to be terminated, the se- 

20 cret serial number for that decoder is simply deleted 
from SSN database 211, and decoder 206 is deauthor- 
ized at the beginning of the next key period. 
[001 5] In a decoder such as the one shown in Figure 
2, the pay television provider has to rely on the physical 

25 security of the decoder box itself to prevent a pirate from 
reading or modifying the secret serial number and key 
memories in the decoder or observing the key decryp- 
tion process. In order to provide the necessary physical 
security, decoder boxes can be equipped with tamper- 

30 proof seals, specially headed screws and fasteners, or 
other tarn per resistant packaging to make physical com- 
promise of the decoder difficult. The subscriber Is aware 
that tampering with the decoder could alter the tamper- 
proof seals or damage the decoder and subsequent ex- 

35 ami nation could lead to discovery. 

[001 6] There are several disadvantages of relying on 
the physical security of the decoder to maintain system 
security. First, the pay television provider has to main- 
tain ownership and control over all of the decoders of 

40 the network and then rent or lease the decoders to sub- 
scribers. The pay television provider is thus responsible 
for maintenance of ail decoders and must maintain an 
expensive parts inventory and maintenance staff. In ad- 
dition, in order to initiate service, a serviceperson must 

45 make a personal visit to the subscriber's location to in- 
stall the decoder. In a pay television satellite system, 
such installation and service calls could be quite costly 
for remote installations which could be located any- 
where in the world. Further, the physical security of a 

so decoder could be breached without fear of discovery if 
a pirate could obtain a decoder that had been stolen ei- 
ther during the distribution process or from an individual 
subscriber's home. 

[0017] Hence, the system of Figure 2 can be secure 
55 only under the following conditions: 

(i) It must be impossible to read or modify the SSN 
and key memories in the decoder. 
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(ii) It must be impossible to observe the key decryp- 
tion process, or the links between the four elements 
(207, 208, 212, and 213) of the decoder. 

[0018] One way to achieve both of these goals is by 
the use of a so-called "secure microprocessor". 
[001 9] Figure 3 shows a block diagram of a typical pri- 
or art microprocessor 320 with processor 321, program 
memory 322, memory address bus 328, memory data 
326 and memory data bus 327. In such a device, input 
data 323 is processed according to a program stored in 
program memory 322, producing output data 324. Pro- 
gram memory 322 can be "read out" through memory 
data bus 327. That is, the memory can be stepped 
through. by sequentially incrementing memory address 
325 through memory address bus 328 into program 
memory 322. Output memory data 326 from memory da- 
ta bus 327 will reveal the entire program contents of mi- 
croprocessor 320, including any stored descrambling al- 
gorithm and secret serial number. With such data, a pi- 
rate can easily decrypt a key transmitted through satel- 
lite link 205 of Figure 2. 

[0020] Figure 4 shows a block diagram of an ideal se- 
cure microprocessor 420 adapted for securing an algo- 
rithm and secret serial number according to one aspect 
of the present invention. The major difference between 
secure microprocessor 420 of Figure 4 and microproc- 
essor 320 of Figure 3 is that both memory address bus 
328 and memory data bus 327 are absent, so there is 
no way to step through program memory 422 for the pur- 
pose of reading or writing. Memory references are exe- 
cuted only by processor 421 according to its mask-pro- 
grammed code which cannot be changed. All input data 

423 is treated as data for processing, and all output data 

424 is the result of processing input data 423. There is 
no mechanism for reading or modifying the contents of 
program memory 422 via the data inputs. 

[0021] Modern devices are a close approximation to 
this ideal secure microprocessor. There is, however, 
one requirement which causes a variation from the ide- 
al. Following manufacture, there must be a mechanism 
available to write into memory 422 the decoder specific 
secret serial number 430, as well as decryption algo- 
rithm 434. If this facility were available to a pirate, he 
could modify the secret serial number for the purpose 
of cloning. Therefore, this facility must be permanently 
disabled after the secret serial number has been en- 
tered. 

[0022] A variety of techniques may be used to disable 
the facility for writing into the memory. Secure micro- 
processor 420 could be provided with on-chip fusible da- 
ta links 431, a software lock, or similar means for ena- 
bling the secret serial number 430 and descrambling al- 
gorithm 434 to be loaded into memory 422 at manufac- 
ture. Then, for example, the fusible links shown in 
dashed lines are destroyed so that a pirate has no ac- 
cess to descrambling algorithm 434 or secret serial 
number 430 stored in program memory 422. 



[0023] In an alternative embodiment, the microproc- 
essor of Figure 4 can be secured with an "E 2 bit." The 
"E 2 bit", a form of software lock, will cause the entire 
memory (typically EEPROM) to be erased if an attempt 
s is made to read out the contents of the memory. The "E 2 
bit" provides two advantages; first, the memory is se- 
cured from would-be pirates, and second, the memory 
erasure will indicate that tampering has occurred. 
[0024] A pirate would have to have access to exten- 
sive micro-chip facilities and a significant budget to com- 
promise such a secure micro-processor. The physical 
security of the processor would have to be breached, 
destroying the processor and contents. However, inte- 
grated circuit technology continuously improves, and 
unexpected developments could occur which might en- 
able attacks to be made at the microscopic level which 
are more economic than those available today. Further, 
the worldwide market for pirate decoders for satellite 
transmissions would provide the economic incentive to 
the increasingly sophisticated pirate electronics industry 
to compromise such a unit. 

[0025] Copying a single decoder comprising a micro- 
processor according to Figure 4 could lead to decoder 
clones based on the single secret serial number in that 
single decoder. Discovery would result in the termina- 
tion of that secret serial number, and thus termination of 
all of the clones. However, a pirate would also have the 
option of using the single compromised unit to recover 
the key. The pirate could then develop a decoder design 
which would accept the key as a direct input. These pi- 
rate units could then be illegally distributed to subscrib- 
ers, who would pay the pirate for a monthly update of 
the key. The consequence of a security breach could 
become extremely damaging to the pay television pro- 
vider. 

[0026] Pay television providers are therefore at risk if 
security depends exclusively on the physical defenses 
of the secure microprocessor. Figure 5 shows a device 
which attempts to overcome the disadvantages of the 
devices of Figures 1 and 2 by providing a security device 
in a replaceable security module 514. Replaceable se- 
curity module 514 comprises key decryptor 513, secret 
serial number memory 512 and key memory 507. As in 
Figure 2, encoder 501 scrambles source program 502 
comprising video signals, audio signals and data in pro- 
gram scrambler 503 using a key from key memory 504. 
The key is encrypted in key encryptor 51 0 using a secret 
serial number (SSN) from secret serial number data- 
base 511 which contains a list of the secret serial num- 
bers of all legitimate subscribers. 
[0027] The same SSN is installed in secret serial 
number memory 512 in replaceable security module 
514 which is removably attachable to decoder 506. Key 
decryptor 513 of replaceable security module 514 de- 
crypts the key using the secret serial number stored in 
secret serial number memory 512. The decrypted key 
is then stored in key memory 507. Unlike Figure 2, the 
entire replaceable security module is removably at- 
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tached to decoder 506. Program desc rambler 508 reads 
the decrypted key from key memory 507 in replaceable 
security module 514 and uses the key to descramble 
and output descrambled program 509. Removable se- 
curity module 514 is designed to be replaced by the sub- 
scriber, preferably without any special tools and, thus, 
most conventionally may comprise a plug-in module. 
[0028] The use of a plug-in module gives the pay tel- 
evision provider the ability to upgrade the technology in 
the security device by swapping it out at very low cost. 
In the event of a security breach, a new replaceable se- 
curity module containing the program scrambling algo- 
rithm and SSN could be mailed out to authorized sub- 
scribers. The authorized subscribers could then remove 
the old replaceable security module from their decoder 
and insert the new replaceable security module them- 
selves. System security is thus recovered without the 
expense of replacing the entire decoder or the expense 
of sending a service person to replace the replaceable 
security modules in each decoder. In addition, it is not 
necessary for the pay television provider to own the de- 
coder itself: The decoder can be a generic commercially 
available unit purchased by the subscriber, or even in- 
tegrated into the television itself. To initiate service, the 
pay television provider need only mail the replaceable 
security module to the subscriber and no service call is 
necessary. 

[0029] Although the replaceable security module has 
the advantages of providing a guarantee that network 
security is recoverable following a breach, it also has 
some disadvantages. All the security resides in replace- 
able security module 514, and decoder 506 itself is a 
generic unit. The key signal which is generated by re- 
placeable security module 51 4 is observable at its trans- 
fer point to decoder 506. The key can, however, be 
changed sufficiently often to ensure that it has no value 
to a potential pirate. 

[0030] The problem with this approach is that a given 
removable security module 51 4 will operate with any de- 
coder 506, and that tampering with replaceable security 
module 514 does not involve damage to decoder 506. 
Consequently, if replaceable security module 514 were 
to be compromised, piracy would become widespread 
very rapidly. 

[0031] Although the devices as described above 
show a single key to scramble the program signal (so- 
called "single layer encryption") any of the prior art de- 
vices could also be practiced using a multiple key ("two 
layer", "three layer", etc.) scrambling system. Figure 6 
shows an exam-pie of a prior art two layer encryption 
encoder 601. Encoder 601 contains secret serial 
number database 611 which contains a list of secret se- 
rial numbers for all authorized subscribers. Key memory 
604 stores the "Key of the Month" (KOM) which in this 
embodiment can be either an "even" key for even 
months (February, April, June, etc.) or an "odd" key for 
odd months (January, March, May, etc.). The key could 
also be different for each month of the year, or could be 



made even more unique, depending on the available da- 
ta bits for such a key. In addition, the key could be 
changed more frequently or less frequently than the 
monthly basis shown here. 

5 [0032] Key encryptor 610 encrypts the key selected 
from key memory 604 and outputs a series of encrypted 
keys E SSN [KOM] each encrypted with a secret serial 
number from secret serial number database 61 1 , to data 
multiplexor 635. Seed memory 636 contains a "seed" 

10 which is used for scrambling the audio and video sig- 
nals. The "seed" can also be a data code or a signal 
similar to the key described above. Seed encryptor 637 
encrypts the seed with the key of the month and outputs 
the encrypted seed E KOM [SEED] to data multiplexor 

*5 635. Thus the key has been encrypted with the secret 
serial number, and the seed encrypted with the key. Nei- 
ther the key nor the seed can be easily recovered during 
transmission. 

[0033] In this embodiment, source program 602 com- 
20 prises a Multiplexed Analog Video (MAC) signal 639 
with the typical chrominance and luminance signals de- 
scribed previously, along with multiplexed audio data 

638 which may comprise several different audio and 
non-audio (data) signals. For example, there may be at 

25 least two channels of audio (stereo) and additional 
channels of teletext for the hearing impaired. In addition, 
there may be additional channels of audio related to the 
video signal such as foreign language translations, un- 
related audio signals such as radio programs or data 

30 signals such as subscriber messages, computer data, 
etc. All of these signals are digitized and multiplexed to- 
gether, as is well known in the art, and the resulting mul- 
tiplexed audio data 638 is then ready to be scrambled. 
[0034] The seed passes through pseudo-random bit 

35 sequencer (PRBS) 643 and then is added to mu Itiplexed 
audio data 638 in adder 644. Together, pseudo- random 
bit sequencer (PRBS) 643 and adder 644 comprise a 
bit-by-bit encryptor 645 as is well known in the art. The 
resulting scrambled multiplexed audio data is then 

40 passed to data multiplexor 635 and is. multiplexed with 
the encrypted seed and key. 

[0035] MAC video signal 639 is scrambled in line 
translation scrambler 603 which scrambles the lines of 
the MAC signal using the "seed" from seed memory 636 

45 for the scrambling algorithm. The resulting scrambled 
MAC signal is then sent to multiplexor 632 which multi- 
plexes the scrambled MAC signal with the output from 
data multiplexor 635. The multiplexed data output of da- 
ta multiplexer 635 is modulated into pulse amplitude 

so modulation (PAM) format by P.A.M. modulator 645. The 
output B-MAC signal 646 contains MAC video signal 

639 and multiplexed PAM audio data 638, both scram- 
bled with the seed, along with the seed encrypted with 
the key of the month, and a series of keys of the month 

55 which have been encrypted with the secret serial num- 
bers of the subscriber's decoders, all multiplexed to- 
gether. 

[0036] In order to descramble the B-MAC signal 646, 
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a pirate must be able to decrypt one of the encrypted 
keys, and use that key to decrypt the seed. However, as 
in the single layer encryption device described in Figure 
2, the pirate only needs to compromise one of the de- 
coders in order to obtain a secret serial number, and 
thus decrypt the key. With the key, a pirate can then de- 
crypt the seed, and with the seed, descramble the pro- 
gram signal. Additional "layers" of encryption (i.e. - more 
seeds and keys) make pirating more cumbersome, as 
the pirate must decrypt more seeds and keys, however, 
once the first key has been decrypted, the subsequent 
keys and seeds can be decrypted as well. In embodi- 
ment shown in Figure 6, keys need be every other month 
(even months and odd months) for the pirate to be able 
to descramble the program signal all year. The secret 
serial numbers, seed, and key, as used in Figure 6, can 
be used effectively by the pay television provider to ter- 
minate a particular decoder by secret serial number and 
generally discourage piracy by amateurs. However, 
while this system has not yet been compromised, a de- 
termined pirate may comprise such a multi-layered en- 
cryption system with the aid of a compromised decoder, 
the heart of such piracy being the gaining of access to 
a secret serial number. 

[0037] EP0343805 discloses a decoder which de- 
crypts a once-encrypted key in order to generate a work- 
ing key which is used for descrambling a program signal. 
WO8606240 discloses a decoder with a removable 
plastic card comprising electronic circuitry. Decryption 
of a key is only possible when the card is connected to 
the decoder. The combined decoding logic in the decod- 
er and the card operates so that the received signal is 
decoded and unscrambled. US4663664 discloses a re- 
movable electronic ticket for descrambling a transmitted 
video program. At least a portion of a descrambling cir- 
cuit is formed on a substrate. 

[0038] in view of the deficiencies of the above prior 
art devices, it still remains a requirement in the art to 
provide a scrambling system for pay television systems 
which does not rely solely on the physical security of the 
decoder components to maintain system integrity. 

Summary of the invention 

[0039] The invention in its various aspects is defined 
in the claims to which reference should now be made. 
Preferred features are laid out in the sub-claims. 
[0040] The present invention preferably provides a 
decoder with the features of appended claims 1 and 7 
and a decoding method having the features of append- 
ed claims 13 and 19. 

[0041] Many of the above -stated problems and relat- 
ed problems of the prior art encryption devices have 
been solved by the principles of the present invention. 
The double-encryption technique discourages copying 
the replaceable security module, as each replaceable 
security module will work only with its mating decoder. 
The system also allows the replaceable security module 



to be replaced following a system breach, thus allowing 
for recovery of system security 

[0042] The system comprises an encoder for encod- 
ing a signal, the encoder further comprising a signal 

5 scrambler and a first and second key encrypters. The 
signal scrambler scrambles the signal and outputs a 
scrambled signal and a key for descrambling the scram- 
bled signal. The first key encryptor is coupled to the sig- 
nal scrambler and performs a first encyrption on the key 

io using a first secret serial number and outputs a once- 
encrypted key. The second key encryptor is coupled to 
the first key encryptor and performs a further encryption 
on the once-encrypted key using a second secret serial 
number and outputs a twice-encrypted key. 

15 [0043] The system further comprises a transmitter 
coupled to the signal scrambler and the second key en- 
cryptor for transmitting the scrambled signal and twice- 
encrypted key. 

[0044] The system further comprises a decoder cou- 

20 pied to the transmitter for receiving and descrambling 
the scrambled signal. The decoder comprises first and 
second key decryptors and a descrambler. The first key 
decryptor is coupled to the transmitter and performs a 
first key decryption on the twice-encrypted key using the 

25 second secret serial number and outputs a partially de- 
crypted key. The second key decryptor is coupled to the 
first key decryptor and perform a second key decryption 
on the partially decrypted key using the first secret serial 
number and outputs the decrypted key. The descram- 

30 bier is coupled to the second key decryptor and the 
transmitter and descrambles the scrambled signal using 
the decrypted key and outputs the descrambled signal. 
[0045] In an alternative embodiment of the present in- 
vention, the decoder may function without the use of a 

35 replaceable security module. In the event of a system 
breach or a service level change, a replaceable security 
module may then be inserted into the decoder to" "up- 
grade " the decoder. 

[0046] These and other objects and advantages of the 
40 invention, as well as the details of an illustrative embod- 
iment, will be more fully understood from the following 
specification and drawings in which similar elements in 
different figures are assigned the same last two digits to 
their reference numeral (i.e., encoder 701 of Figure 7 
45 and encoder 8 CM of Figure 8). 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0047] FIG. 1 shows an example of a prior art condi- 
so tional-access system for satellite transmission with a 
key signal sent in the clear to the decoder. 
[0048] FIG. 2 shows an example of a prior art condi- 
tional-access system for satellite transmission using a 
single key encryption technique. 
55 [0049] FIG. 3 shows an example of a prior art micro- 
processor without a secure memory. 
[0050] FIG. 4 shows a secure microprocessor with a 
secure memory and fusible data links adapted for stor- 
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ing an algorithm and secret serial number according to 
the present invention. 

[0051] FIG. 5 shows an example of a conditional-ac- 
cess system for satellite transmission with a replaceable 
security module containing a first secret serial number. 5 
[0052] FIG. 6 shows another prior art conditional-ac- 
cess system for satellite transmission using an addition- 
al layer of encryption, 

[0053] FIG. 7 shows one exemplary embodiment of 
the conditional-access system of the present invention 
with an encoder encrypting the key with both a first and 
second secret serial number, a satellite transmission 
system, and a decoder containing a first secret serial 
number and a replaceable security module containing 
a second secret serial number. 

[0054] FIG. 8 shown another embodiment of the en- 
cryption system of the present invention including a mul- 
tiplexor and demultiplexer for multiplexing the twice en- 
crypted key with the scrambled program signal prior to 
transmission, and demultiplexing the twice encrypted 
key from the scrambled program signal after reception. 
[0055] FIG. 9 shows an alternative embodiment of the 
device of FIG. 7 incorporating a telephone controller for 
bi-directional telephone control for pay-per-view access 
or key transmission. 

[0056] FIG. 10 shows a block diagram of an alterna- 
tive embodiment of the device of Figure 9, showing in 
detail how signals are passed between the decoder and 
the replaceable security module. 

[0057] FIG. 11 shows another embodiment of the de- 
vice of FIG. 10 with the telephone controller, but without 
a replaceable security module. 

DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENT 

[0058] Figure 7 shows the encryption system of the 
present invention comprising an encoder 701 for encod- 
ing a source program 702 for transmission over a satel- 
lite link 705 to a decoder 706. According to Figure 7, the 
key is encrypted and addressed to individual decoders, 
similar to the device in Figure 5. However, in this case, 
the key is encrypted not once, but twice and must also 
be decrypted twice in the decoder. The first decryption 
takes place in a replaceable security module 714 which 
is mounted on the exterior of the decoder 706, for ex- 
ample, as a plug-in module. The second decryption 
takes place in a fixed security element 719 which is an 
integral part of the decoder 706. Both decryptions must 
take place properly for the decoder to receive the key. 
[0059] The encoder 701 has a key memory 704 con- 
taining the key used to scramble program 702 in pro- 
gram scrambler 703. The key is first encrypted in first 
key encryptor 710 with a first secret serial number 
(SSN 0 ) stored in SSN 0 database 711. The key is further 
encrypted in second key encryptor 715 with a second 
secret serial number (SSNt) from SSN-, database 716. 
This produces a series of twice-encrypted keys which 



are then transmitted along with the scrambled program 
via satellite link 705. The decoder 706 receives the en- 
crypted program and one of the twice-encrypted keys 
and performs a first key decryption in replaceable secu- 
rity module 714. The replaceable security module 714 
contains a second secret serial number (SSNt), which 
could be assigned to a particular security module or se- 
ries of modules, in SS^ memory 717. The replaceable 
security module 714 performs a first key decryption in 
first key decry ptor 718 and outputs a partially decrypted 
key. The partially decrypted key, still unreadable to a pi- 
rate, is sent to second key decry ptor 713 located in de- 
coder 706 itself. There, the key is fully decrypted using 
the first secret serial number stored in SSN 0 memory 
712. The fully decrypted key is now stored in key mem- 
ory 707 and usedtodescramble the scrambled program 
received from satellite link 705 in program descrambler 
708 and output descrambled program 709. 
[0060] Both replaceable security module 714 and an 
internal security element 719 of decoder 706 may be 
constructed according to the principles of Figure 4. For 
example, the second secret serial number SSN-, may 
be loaded into SSN., memory 717 of Module 714 and 
fusible links used for loading the memory destroyed dur- 
ing manufacture. Similarly, SSN 0 memory 712 of inter- 
nal security element 719 may be loaded during manu- 
facture over a fusible link and the link destroyed. Also 
over a fusible link, algorithms may be loaded into key 
decryptors 718, 713 during manufacture and the fusible 
links subsequently destroyed 

[0061] The effect of twice -encrypting the key is to en- 
sure that replaceable security module 714 must corre- 
spond to a particular decoder 706 and will not operate 
with any other decoder. Loss of replaceable security 
module 714 during distribution no longer presents a po- 
tential security breach. To compromise the system, it is 
now necessary to break the physical security of both re- 
placeable security module 714 and internal security el- 
ement 71 9. In order to fully compromise the system, the 
internal security element 719 must be . attacked, restor- 
ing the risk to the subscriber that his decoder will be 
damaged. 

[0062] At the same time, the replaceable security 
module provides the pay television provider with the op- 
tion of replacing system security by mailing out new re- 
placeable security modules to all authorized subscrib- 
ers. Returned replaceable security modules 714 could 
be re-used for a different subscriber decoder by repro- 
gramming the SSN 0 and SSN 1 databases 711 and 716 
to correspond to the combination of the first secret serial 
number of decoder 706 with the second secret serial 
number of security module 714. Alternatively, the re- 
turned replaceable security modules 714 could be de- 
stroyed, and a new replaceable security module 714 
sent out, incorporating changes and improvements in 
the security technology to thwart potential pirates. In the 
event of a security breach, it is only necessary to replace 
the replaceable security module and not the complete 
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decoder in order to restore system security. 
[0063] Alternatively, the decoder 706 may function 
optionally without the use of the replaceable security 
module 717. In such a system, encoder 701 may be pro- 
grammed to perform single level key encryption by en- s 
crypting the key from key memory 704 once in second 
key encryptor 715, bypassing first key encryptor 710. 
Decoder 706 would sense the absence of removable se- 
curity module 71 7 and perform only a single key decryp- 
tion in second key decryptor 713. 
[0064] If a system breach occurs, the pay television 
provider then mails out replaceable security modules to 
subscribers, uses the double encryption technique, and 
thus recovers system security. The optional usage of the 
replaceable security module has other attractive bene- 
fits as well. Subscribers who do not pay for any premium 
channels may not be sent a replaceable security mod- 
ule, as the "basic" channels may only use a once-en- 
crypted key or may even be sent in the clear. If the sub- 
scriber wishes to upgrade to a premium channel or 
channels, the pay television provider may then mail that 
subscriber the appropriate replaceable security module. 
[0065] In addition, the replaceable security module 
may be used to add other additional features. Many ca- 
ble television systems offer optional services such as 
IPPV (Impulse-Pay-Per-View) which require two-way 
communication between the decoder 706 and the head 
end. In the past, if a subscriber wished to upgrade to 
IPPV service, a subscriber's decoder would haye to be 
altered by inserting a IPPV module internally or by add- 
ing an IPPV "side car" externally. Alternatively, the entire 
decoder would have to be replaced. All three options 
would necessitate a service call, causing inconvenience 
to the subscriber, and expense to the pay television pro- 
vider. Similarly, when a pay television provider wishes 
to upgrade its entire encoder/decoder system , it must 
provide a new decoder to each subscriber which will 
work in the interim with both the old and new encoding 
techniques, as it is nearly impossible to replace all sub- 
scriber decoders simultaneously. Thus a decoder man- 
ufacturer is faced with the added expense of providing 
his state-of-the-art decoder with extra circuitry in order 
to function with the pay television provider's old encoder 
for the few months during the change over period. 
[0066] In both the above instances, the replaceable 
security module 714 may be used to upgrade the de- 
coder 706 without the expense and inconvenience of a 
service call. The replaceable security module 714 may 
be mailed to the subscriber and the subscriber can then 
insert the replaceable security module 714 and instantly 
upgrade the decoder and add additional features (such 
as IPPV), alter the encoding technique, or providing an 
external level of security. 

[0067] The replaceable security module 714 may take 
one of several forms. In the preferred embodiment, the 
module may comprise a "smart card", a plastic "credit 
card" with a built-in micro-processor, such as described 
by the International Standards Organization in standard 



ISO 7816/1 and IS07816/2. Attention is drawn on U.S. 
Patent No. 4,841,133 issued June 20, 1989, describing 
such a "smart card." The "smart card" may be equipped 
with a series of electrical contacts which connect to con- 
tacts in the decoder 706. The contacts may provide pow- 
er to the card, along with clock signals and data trans- 
mission. 

[0068] Figure 8 shows another embodiment of the 
present invention wherein the key is twice encrypted 
and addressed to individual decoders, similar to the de- 
vice in Figure 7. The encoder 801 has a key memory 
804 containing the key used to scramble program 802 
in program scrambler 803. The key is first encrypted in 
first key encryptor 810 with the first secret serial number 
(SSN 0 ) stored in SSN 0 database 811 . The key is further 
encrypted in second key encryptor 815 with a second 
secret serial number (SSN^ from SSIS^ database 816, 
producing a series of twice-encrypted keys as in Figure 
7. However, in this embodiment, the twice encrypted 
keys are then multiplexed into the scrambled program 
in multiplexor 832 and transmitted via satellite link 805. 
[0069] The decoder 806 receives the encrypted pro- 
gram and demultiplexes the twice encrypted keys from 
the scrambled program signal in demultiplexer 833. The 
decoder 806 then chooses the proper twice encrypted 
key based on the key message associated with the 
proper key for that decoder, and performs a first key de- 
cryption in replaceable security module 814. The par- 
tially decrypted key is then sent to second key decryptor 
813 located in the decoder 806 itself. There, the key is 
fully decrypted using the unique first secret serial 
number stored in SSN 0 memory 812. The fully decrypt- 
ed key is now stored in key memory 807 and used to 
decrypt the program in the program desc rambler 808 
and output the decrypted program 809. The second key 
decryptor 81 3, key memory 807, and SSN 0 memory 81 2 
together comprise fixed internal security element §19. 
[0070] Figure 9 shows an alternative embodiment of 
the present invention with a telephone controller. De- 
coder 906 is similar to the decoder 706 of Figure 7, ex- 
cept that decoder 906 of Figure 9 also includes a tele- 
phone controller 940 for receiving or sending an en- 
crypted key or other data. Telephone controller 940 adds 
an additional level of security to the system, as the key 
does not have to be transmitted with the program signal 
over a separate channel as in Figure 7 or multiplexed 
into the signal as in Figure 8. In addition, the telephone 
controller 940 can provide two-way communication with 
the program source for such features as pay-per-view 
(PPV) or impulse pay-per-view (IPPV) programming. 
[0071] Pay-per-view programming is defined here as 
any programming where the subscriber can request au- 
thorization to watch a particular program. In many pay 
television systems, pay-per-view programming is used 
for sporting events (boxing, wrestling, etc.) which are not 
transmitted on a regular basis. A subscriber wishing to 
view the event must receive authorization in the form of 
a special descrambler mechanism, or in the form of a 
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special code transmitted or input to the subscriber's de- 
coder. Some pay-per-view television systems allow the 
subscriber to request a pay-per-view program (i.e. - 
movies) to watch. The pay television provider then 
transmits the requested program and authorizes that s 
subscriber's decoder to receive the signal 
[0072] Impulse pay-per-view (IPPV) programming is 
defined here as any programming where the subscriber 
has a pre-authorized number of "credits" saved in his 
individual decoder. If a subscriber wishes to view a par- 
ticular program, the subscriber merely actuates the de- 
coder, the appropriate number of credits are subtracted 
from the subscriber's remaining credits, and the sub- 
scriber is immediately able to view the program. 
[0073] In a pay-per-view embodiment of the present 
invention, the decoder may send a signal to the head 
end via the telephone controller 940 with a request for 
authorization to decode a pay-per-view program. Alter- 
nately, the decoder 906 may store authorization infor- 
mation (i.e. -credits) for pay-per-view programming, and 
forward actual pay-per-view data via the telephone con- 
troller 940 at a later time. 

[0074] The telephone controller 940 could be a com- 
puter modem type device, or could work using touch- 
tone signals to communicate with the head end. Prefer- 
ably, the telephone controller is a modem type device, 
communicating with the head end using a TSK protocol. 
Attention is drawn to copending application Serial No. 
187,978 filed April 29, 1988 describing TSK operation 
and published as US 4926444 on 1 5 May 1 990. The pay 
television provider can thus send appropriate authoriza- 
tion information (TEL) to the subscriber, encrypted with 
the subscriber's secret telephone number (STN). The 
secret telephone number is not a telephone number in 
the ordinary sense, but rather another type of secret se- 
rial number, which could be assigned to a given tele- 
phone controller 940 or series of telephone controllers. 
Once received by the decoder 906, the authorization in- 
formation may be used to enable descrambling of a par- 
ticular pay-per-view program or programs. 
[0075] In another embodiment, which could be used 
in conjunction with the pay-per-view embodiment de- 
scribed above, the telephone controller can he used to 
receive the key encrypted with the secret telephone 
number. The scrambled program signal 941 is input to 
the decoder 906 which provides the input signal 941 to 
a clock/data recovery unit 942 and the video/audio de- 
scrambler 908. The clock/data recovery unit 942 pro- 
vides sync and data for the program signal fed to the 
fixed security element 919. Fixed security element 919 
contains a key decryptor, key memory and SSN 0 mem- 
ory. The telephone controller 940 receives the key, en- 
crypted with the secret telephone n umber of the decoder 
(STN) stored in the replaceable security module 914. 
The telephone controller 940 typically commences com- 
munication and can be programmed to call the head end 
at a predetermined time or at a predetermined time in- 
terval, or upon receiving a signal from the head end pref- 



erably when phone usage is at a minimum (i.e. - early 
morning hours). The telephone controller can call the 
head end via a toll free 1-800 number, a so-called 
"watts" line, or via a local call to a commercial data link 
such as TYMNET or TELENET. Once the call is con- 
nected and communications established, the decoder 
906 uploads to the head end a record of pay-per-view 
usage encrypted with the secret telephone STN V The 
head end may then download data similarly encrypted 
to the decoder 906 including new keys, secret serial 
numbers, or decryption algorithms. The encrypted key 
may be sent to the fixed security element 919, which 
has removably attached thereto the replaceable securi- 
ty module 914. The key is then decrypted in the replace- 
able security module using the secret telephone 
number, and decoder control information is sent to the 
program descrambler 908 to produce the descrambled 
program 909. 

[0076] As discussed above, a new secret serial 
number or decryption algorithm, encrypted with the se- 
cret telephone number, may be sent from the head end 
to a decoder through telephone controller 940. The en- 
crypted secret serial number or decryption algorithm is 
then decrypted and stored in the replaceable security 
module. This downloading of decryption algorithms and 
secret serial numbers via the telephone controller 940 
is sometimes called an "E 2 patch", and allows the pay 
television provider to maintain or recover system secu- 
rity by loading new information into a decoder's EEP- 
ROM. An E 2 patch does not necessarily entail changing 
the entire decryption algorithm in the decoder 906. The 
secret serial number or merely a portion of the decryp- 
tion algorithm, such as a particular byte or data table 
need only be changed in order to sufficiently alter the 
decryption algorithm. The E 2 patch allows the pay tele- 
vision provider or upgrade the encryption system to fix 
"bugs" and recover system security. 
[0077] After receiving a signal through the telephone 
controller 940, the head end will send an acknowledg- 
ment signal to the decoder, indicating that information 
has been received. Similarly, after data has been down- 
loaded from the head end to the decoder through the 
telephone controller, the decoder will return an acknowl- 
edgment signal to the head end that data has been re- 
ceived. 

[0078] In addition to pay-per-view requests or 
records, telephone controller 940 can also be used to 
upload other signals from the decoder. For example, 
tamper protection information such as described in con- 
nection with Figure 4 can be sent indicating whether or 
not the decoder has been tampered with. Further, pro- 
gram viewing information can be uploaded to the pay 
television provider for television rating purposes (i.e., - 
Nielson ratings) 

[0079] In general, any data that can be delivered via 
the B-MAC input 941 of Figure 9 (or NTSC, PAL, SE- 
CAM, etc.) can also be downloaded through the tele- 
phone controller 940. Such information includes, but is 
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not limited to, blackout codes, tiering information, per- 
sonal messages number of available credits, group 
identification numbers, and other system data. Gener- 
ally, the telephone controller 940 is used for infrequent 
communications, such as periodic security level chang- 5 
es and IPPV requests, due to the limited bandwidth of 
telephone lines and the increased cost of sending infor- 
mation via telephone versus the B-MAC input. 
[0080] The telephone information (TEL) encrypted 
with the secret telephone number (STN) remains en- 
crypted throughout the decoder 906 and may only be 
decrypted in the replaceable security module 914. The 
decrypted telephone information does not pass out of 
the replaceable security module 914, in order to prevent 
observation by a pirate. In order for the decoder 906 to 
descramble a scrambled program, both the telephone 
information and the addressed data packet received 
through the B-MAC input 941 must be present. By rely- 
ing on both information sources, piracy is virtually im- 
possible, as the potential pirate must break into the pay 
television provider's telephone system as well as de- 
crypt the twice-encrypted key. 

[0081] Figure 10 shows a more detailed diagram of 
the device of Figure 9, showing how the various signals 
are sent between the fixed security element 1019 and 
the replaceable security module 1014. In this embodi- 
ment, both the fixed and replaceable security modules 
101 9 and 1014 are built around secure microprocessors 
1050 and 1051 similar to that shown in Figure 4. In Fig- 
ure 10, the subscript D 0 B is used to denote signals and 
keys stored or decrypted in the fixed security element 
1019, while the subscript w 1 n denotes signals and keys 
stored or decrypted in the replaceable security module 
1014. 

[0082] Fixed security element 1019 comprises a se- 
cure microprocessor 1050 which receives signals 1053, 
1054, and 1055 as inputs. Signal 1053 is the program 
(SYS) which has been scrambled with a key-of-the- 
month (KOM) and is represented by the symbol E KOM1 
(SYS). Signal 1054 is the key-of-the-month (KOM) 
which has been twice-encrypted with the two secret se- 
rial numbers (SSN 0 and SSN 1 ) of the fixed and replace- 
able security modules 101 9 and 1014, respectively and 
is represented by the symbol E SSN0 (E SSN1 (KOM1)). 
[0083] Signal 1055 is an additional signal, E STN1 
(TEL), which is the telephone data encrypted with a se- 
cret telephone number (STN) described in Figure 9 
above. The telephone data can be used to provide an 
additional level of security, as well as to allow the sub- 
scriber to request "pay-per-view" programs via the 
phone line as described in Figure 9 above. 
[0084] Secure microprocessor 1050 performs a first 
decryption of twice-encrypted key 1054 using the first 
secret serial number SSN 0 stored within secure micro- 
processor 1050. Secure microprocessor 1050 passes 
partially decrypted key-of-the-month E SSN1 (KOM) 1061 
to replaceable security module 1014 along with scram- 
bled program E KOM1 (SYS) 1062 and encrypted tele- 



phone data E STN1 (TEL) 1060. 

[0085] Replaceable security module 1 01 4 comprises 
secure microprocessor 1051 which has secure memory 
1052 where the second secret serial number SSN-, is 
stored along with the secret telephone number STN 1 , 
the encryption algorithm E, and other authorization in- 
formation. Secure microprocessor 1051 performs a fur- 
ther decryption on partially decrypted key-of-the-month 
E SSN1 (KOM) 1061 received from fixed security element 
1019, using the second secret serial number SSN^ and 
encryption algorithm E stored within secure memory 
1052. The decrypted key-of-the-month (KOM1) is 
stored in the secure memory 1052 of secure microproc- 
essor 1051. As discussed in Figure 4, secure memory 
1052 cannot be directly addressed or read out, and as 
such the second secret serial number SSN^ and the en- 
cryption algorithm E cannot be observed by a potential 
pirate. 

[0086] Secure microprocessor 1051 also decrypts the 
telephone data (TEL) using the secret telephone 
number STN A stored within the secure memory 1052 of 
the secure microprocessor 1051. If the key-of-the- 
month (KOM1) can be decrypted, and authorization is 
present (for pay-per-view), or unnecessary (for other 
channels), then scrambled program E KOM1 (SYS) 1062 
can be descrambled in replaceable security module 
1014, producing decoder control information DCI n 1058. 
Decoder control information DCI., 1058 typically con- 
tains the line translation scrambling information for the 
video signal, and decryption information for the multi- 
plexed audio data along with other information such as 
whether teletext is enabled and which audio channel is 
to be selected. The program control information DC^ 
1 058 and the encrypted telephone data E STm (TEL) are 
sent to the fixed security element 1019. If authorization 
is present (for IPPV) or unnecessary (for other chan- 
nels), the secure microprocessor 1050 outputs the pro- 
gram control data 1058 to the rest of the decoder (not 
shown) for program d esc rambling. On-screen display 
support information (OSD) 1 057 is decoded from the en- 
crypted program signal EKOM t (SYS) and provides in- 
formation how on-screen display is controlled by fixed 
security element 1019 to display personal messages, 
control a barker channel, indicate the number of remain- 
ing credits, indicate authorized channels as well as other 
ways of controlling displayed information. 
[0087] Figure 11 shows a further embodiment of the 
present invention, without replaceable security module. 
In this embodiment, the subscript "0 M has been used to 
denote that all decryptions take place within secure mi- 
croprocessor 1 1 50. Decoder 1 1 06 comprises secure mi- 
croprocessor 1150 with secure memory 1152. Secure 
memory 1 1 52 contains a secret serial number SSN 0 and 
a secret telephone number STN 0 unique to that decoder 
or a series of decoders loaded during manufacture and 
secured with an "E 2 bit" as discussed in connection with 
Figure 4. Scrambled program E KOM0 (SYS) 1153 and 
once-encrypted key-of-the-month E SSN0 (KOM0) 1154 
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are input to decoder 1106 along with encrypted tele- 
phone data E STN0 (TEL) 1155. 

[0088] Secure microprocessor 1150 decrypts en- 
crypted telephone data E STN0 (TEL) 1155 using the se- 
cret telephone number STN 0 stored in secure memory 
1 1 52. The decrypted telephone data (TEL) is also stored 
in secure memory 1152 to prevent observation by pi- 
rates. The telephone data (TEL) may provide authoriza- 
tion information to decoder 1106 as to whether decoder 
1106 is presently authorized to decrypt some or all of 
the received scrambled programs. In addition, other in- 
formation may be transferred between the decoder and 
the head end as discussed in connection with Figure 9. 
[0089] If authorization is present, secure microproc- 
essor 1150 uses the first secret serial number SSN 0 
stored in secure memory 11 52 to decrypt the key KOM 0 . 
As in Figure 10, the secure microprocessor 1150 then 
outputs program control information DCI 0 1156 to the 
remainder of decoder 1106 in order to descramble the 
program signal. 



Claims 

1. A decoder comprising a fixed security element 
(719), the fixed security element including a proc- 
essor (71 3) to process a once-encrypted key (1061 ) 
based on a key (SSN 0 ) to generate a working key 
(KOM1) and to process scrambled program data 
(1062) based on the working key to generate de- 
coder control information (1058) useable for de- 
scrambling scrambled signals, the decoder further 
comprising a replaceable security module remova- 
bly attachable to the decoder, the replaceable se- 
curity module including a processor to process a 
twice-encrypted key based on a second key (SSN 1 ) 
to generate a partially-decrypted key, the processor 
of the fixed security element processing the partial- 
ly-decrypted key as the once-encrypted key so that 
the working key is recovered from the twice-en- 
crypted key. 

2. A decoder according to claim 1 , wherein the proc- 
essor of the fixed security element comprises a se- 
cure processor with an internal memory to store the 
working key and configured so that the working key 
is unobservable. 

3. A decoder according to claim 1 or claim 2, wherein 
the processor of the fixed security element compris- 
es a secure processor with an internal memory to 
store the first key (SSN 0 ) and configured so that the 
first key is unobservable. 

4. A decoder according to claim 1 , 2 or 3, wherein the 
processor of the fixed security element is config- 
ured to generate successive decoder control infor- 
mation from successively processed scrambled 



10. A decoder according to claim 7, 8 or 9, wherein the 
processor of the replaceable security module is 
configured to generate successive decoder control 
information from successively processed scram- 
bled program data while the working key remains 
unchanged. 

11. A decoder according to any of claims 7 to 1 0, where- 
in the processor of the fixed security element corn- 



program data while the working key remains un- 
changed. 

5. A decoder according to any of claims 1 to 4, wherein 
5 the processor of the replaceable security module 
comprises a secure processor with an internal 
memory to store the second key (SSN.,) and con- 
figured so that the second key is unobservable. 

10 6. A decoder according to any of claims 1 to 5, wherein 
the decoder is a first decoder of a cable system, the 
cable system including at least one other decoder, 
each decoder of said at least one other decoder in- 
cluding an associated fixed security element, the re- 

15 placeable security module of the first decoder being 
incapable 6f generating a once-encrypted key that 
can be processed by the fixed security element of 
any decoder of said at least one other decoder to 
generate the working key. 

20 

7. A decoder comprising a replaceable security mod- 
ule (1014), the replaceable security module includ- 
ing a processor (1051 ) to process a once-encrypted 
key (1061 ) based on a first key (SSN 0 ) to generate 

25 a working key (KOM1) and to process scrambled 
program data (1062) based on the working key to 
generate decoder control information (1058) usea- 
ble for descrambling scrambled signals, the decod- 
er further comprising a fixed security element, the 

30 fixed security element including a processor to 
process a twice-encrypted key based on a second 
key (SSN^ to generate a partially-decrypted key, 
the processor of the replaceable security module 
processing the partially-decrypted key as the once- 

35 encrypted key so that the working key is recovered 
from the twice-encrypted key. 

8. A decoder according to claim 7, wherein the proc- 
essor of the replaceable security module comprises 

40 a secure processor with an internal memory to store 
the working key and configured so that the working 
key is unobservable. 

9. A decoder according to claim 7 or 8, wherein the 
45 processor of the replaceable security module com- 
prises a secure processor with an internal memory 
to store the first key (SSN 0 ) and configured so that 
the first key is unobservable. 

so 
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prises a secure processor with an internal memory 
to store the second key (SSN-,) and configured so 
that the second key is unobservable. 

1 2. A decoder according to any of claims 7 to 1 1 , where- s 
in the decoder is a first decoder of a cable system, 
the cable system including at least one other decod- 
er, each decoder of said at 'least one other decoder 
including an associated replaceable security mod- 
ule, the fixed security element of the first decoder io 
being incapable of generating a once-encrypted 
key that can be processed by the replaceable se- 
curity module of any decoder of said at least one 
decoder to generate the working key. 

t 15 

13. A decoding method in a decoder comprising steps 
of: 

processing a twice-encrypted key in a proces- 
sor of a removably attachable replaceable se- 20 
curity module based on a first key (SSN^ to 
generate a partially-decrypted key; 
processing of the partially-decrypted key in a 
processor of a fixed security element as a once- 
encrypted key (1061) based on a second key 25 
(SSN 0 ) to generate a working key (KOM1 ); and 
processing scrambled program data (1062) 
based on the working key to generate decoder 
control information (1058) useable for de- 
scrambling scrambled signals. 30 

14. The decoding method of claim 13, further compris- 
ing a step of storing the working key in an internal 
memory of the processor of the fixed security ele- 
ment so that the working key is unobservable. 35 

15. The decoding method of claim 13 or claim 14, fur- 
ther comprising a step of storing the second key 
(SSN 0 ) in an internal memory of the processor of 

the fixed security element so that the second key is *o 
unobservable. 

1 6. The decoding method of any of claims 1 3 to 1 5, fur- 
ther comprising a step of storing the first key (SSN-, ) 

in an internal memory of the processor of the re- 45 
placeable security module so that the first key is un- 
observable. 

17. The decoding method of any of claims 13 to 16, fur- 
ther comprising a step of storing the second key so 
(SSN 0 ) in an internal memory of the processor of 

the fixed security element so that the second key is 
unobservable. 

18. The decoding method of any of claims 13 to 17, ss 
wherein: 

the fixed security element is a first fixed security 
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element of a cable system, the cable system 
including at least one other fixed security ete- 
ment; and 

the step of processing a twice-encrypted key 
generates the partially -decrypted key so that 
the partially-decrypted key cannot be proc- 
essed as the once-encrypted key by any fixed 
security element of the at least one other fixed 
security element to generate the working key. 

19. A decoding method in a decoder comprising steps 
of: 

processing a twice-encrypted key in a proces- 
sor of a fixed security element based on a first 
key (SSNt) to generate a partially-decrypted 
key; 

processing the partially-decrypted key in a 
processor of a removably attachable replacea- 
ble security module as a once-encrypted key 
(1061) based on a second key (SSN 0 ) to gen- 
erate a working key (KOM1); and 
processing scrambled program data (1062) 
based on the working key to generate decoder 
control information (1058) useable for de- 
scrambling scrambled signals. 

t 

20. The decoding method of claim 19, further compris- 
ing a step of storing the working key in an internal 
memory of the processor of the replaceable security 
module so that the working key is unobservable. 

21. The decoding method of claim 19 or claim 20, fur- 
ther comprising a step of storing the second key 
(SSN 0 ) in an internal memory of the processor of 
the replaceable security module so that the second 
key is unobservable. 

22. The decoding method of any of claims 1 9 to 21 , fur- 
ther comprising a step of storing the first key (SSN^ ) 
in an internal memory of the processor of the fixed 
security element so that the first key is unobserva- 
ble. 

23. The decoding method of any of claims 1 9 to 22, fur- 
ther comprising a step of storing the second key 
(SSN 0 ) in an internal memory of the processor of 
the replaceable security module so that the second 
key is unobservable. 

24. The decoding method of any of claims 1 9 to 23, 
wherein: 

the replaceable security module is a first re- 
placeable security module of a cable system, 
the cable system including at least one other 
replaceable security module; and 
the step of processing the twice-encrypted key 
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generates the partially-decrypted key so that 
the partially-decrypted key cannot.be proc- 
essed as the once-encrypted key by any re- 
placeable security module of the at least one 
other replaceable security module to generate 5 
the working key. 

25. The decoding method of any of claims 1 3 to 24, fur- 
ther comprising a step of repeating the step of 
processing scrambled program data to generate io 
successive decoder control information from suc- 
cessively processed scrambled program data while 
the working key remains unchanged. 

PatentansprOche 

1. Ein Decodierer mit 

einem festen Sicherheitselement (719), wobei 20 
das teste Sicherheitselement einen Prozessor 
(713) aufweist, um einen einfach chiffrierten 
Codeschlussel (1061) auf der Grundlage eines 
Codeschlussels (SSN 0 ) zu verarbeiten, um ei- 
nen Arbeits-Codeschlussel (KOM1) zu erzeu- 25 
gen und verschlusselte Programmdaten (1062) 
auf der Grundlage des Arbeits-Codeschlussels 
zu verarbeiten, um Decodierer-Kontrollinfor- 
mationen (1058), die zum Entschlusseln von 
verschlusselten Signalen verwendet werden 30 
konnen, zu erzeugen, 

und einem austauschbaren Sicherheitsmodul, 
das abnehmbar am Decodierer angebracht ist, 
wobei das austauschbare Sicherheitsmodul ei- 
nen Prozessor aufweist, um einen zweifach 35 
chiffrierten Codeschlussel auf der Grundlage 
eines zweiten Codeschlussels (SSI^) zu ver- 
arbeiten, um einen teildechiffrierten Code- 
schlussel zu erzeugen, wobei der Prozessor 
des festen Sicherheitselements den teildechif- *o 
frierten Codeschlussel als einfach chiffrierten 
Codeschlussel verarbeitet, sodass der Arbeits- 
Codeschlussel aus dem zweifach chiffrierten 
Codeschlussel regeneriert wird. 

45 

2. Decodierer nach Anspruch 1, dadurch gekenn- 
zeichnet, dass der Prozessor des festen Sicher- 
heitselements einen sicheren Prozessor mit einem 
internen Speicher zum Speichern des Arbeits-Co- 
deschlussels aufweist und so gestaltet ist, dass der so 
Arbeits-Codeschlussel nicht beobachtet werden 
kann. 

3. Decodierer nach Anspruch 1 Oder 2, dadurch ge- 
kennzeichnet, dass der Prozessor des festen Si- 55 
cherheitselements einen sicheren Prozessor mit ei- 
nem internen Speicher zum Speichern des ersten 
Codeschlussels (SSN 0 ) aufweist und so gestaltet 



ist, dass der erste Codeschlussel nicht beobachtet 
werden kann. 

4. Decodierer nach Anspruch 1 , 2 oder 3, dadurch ge- 
kennzeichnet, dass der Prozessor des festen Si- 
cherheitselements so gestaltet ist, dass er aufein- 
ander folgende Decodierer-Kontrollinformationen 
aus fortlaufend verarbeiteten verschlusselten Pro- 
grammdaten erzeugt, wan rend der Arbeits-Code- 
schlussel unverandert bleibt. 

5. Decodierer nach einem der Anspruche 1 bis 4, da- 
durch gekennzeichnet, dass der Prozessor des 
austauschbaren Sicherheitsmoduls einen sicheren 
Prozessor mit einem internen Speicher zum Spei- 
chern des zweiten Codeschlussels (SSf^ ) aufweist 
und so gestaltet ist, dass der zweite Codeschlussel 
nicht beobachtet werden kann. 

6. Decodierer nach einem der Anspruche 1 bis 5, da- 
durch gekennzeichnet, dass der Decodierer ein er- 
ster Decodierer eines Kabelnetzes ist, wobei das 
Kabelnetz mindestens einen weiteren Decodierer 
aufweist, wobei jeder Decodierer von dem minde- 
stens einen weiteren Decodierer ein zugehoriges 
festes Sicherheitselement aufweist, wobei das aus- 
tauschbare Sicherheitsmodul des ersten Decodie- 
rers keinen einfach chiffrierten Codeschlussel er- 
zeugen kann, der vom festen Sicherheitselement 
eines Decodierers von dem mindestens einen wei- 
teren Decodierer verarbeitet werden kann, um den 
Arbeits-Codeschlussel zu erzeugen. 

7. Ein Decodierer mit 

einem austauschbaren Sicherheitsmodul 
(1014), wobei das austauschbare Sicherheits- 
modul einen Prozessor (1051) aufweist, um ei- 
nen einfach chiffrierten Codeschlussel (1061) 
auf der Grundlage eines ersten Codeschlus- 
sels (SSN 0 ) zu verarbeiten, um einen Arbeits- 
Codeschlussel (KOM1) zu erzeugen und ver- 
schlusselte Programmdaten (1062) auf der 
Grundlage des Arbeits-Codeschlussels zu ver- 
arbeiten, um Decodierer-Kontrollinformationen 
(1058), die zum Entschlusseln von verschlus- 
selten Signalen verwendet werden konnen, zu 
erzeugen, 

und einem festen Sicherheitselement, wobei 
das teste Sicherheitselement einen Prozessor 
aufweist, um einen zweifach chiffrierten Code- 
schlussel auf der Grundlage eines zweiten Co- 
deschlussels (SSN^ zu verarbeiten, um einen 
teildechiffrierten Codeschlussel zu erzeugen, 
wobei der Prozessor des austauschbaren Si- 
cherheitsmoduls den teildechiffrierten Code- 
schlussel als einfach chiffrierten Codeschlus- 
sel verarbeitet, sodass der Arbetts-Code- 
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schlussel aus dem zweifach chiffrierten Code- 
schlussel regeneriert wird. 

8. Decodierer nach Anspruch 7, dadurch gekenn- 
zeichnet, dass der Prozessor des austauschbaren s 
Sicherheitsmoduls einen sicheren Prozessor mit ei- 
nem internen Speicher zum Speichern des Arbeits- 
Codeschlussels aufweist und so gestaltet ist, dass 
der Arbeits-Codeschlussel nicht beobachtet wer- 
den kann. 10 

9. Decodierer nach Anspruch 7 Oder 8, dadurch ge- 
kennzeichnet, dass der Prozessor des austausch- 
baren Sicherheitsmoduls einen sicheren Prozessor 

mit einem internen Speicher zum Speichern des er- is 
sten Codeschlussels (SSN 0 ) aufweist und so ge- 
staltet ist, dass der erste Codeschlussel nicht be- 
obachtet werden kann. 

10. Decodierer nach Anspruch 7, 8 Oder 9, dadurch ge- 20 
kennzeichnet, dass der Prozessor des austausch- 
baren Sicherheitsmoduls so gestaltet ist, dass er 
aufeinander folgende Decodierer-Kontrollinforma- 
tionen aus fortlaufend verarbeiteten verschlussel- 

ten Programmdaten erzeugt, wahrend der Arbeits- 2s 
Codeschlussel unverandert bleibt. 

1 1 . Decodierer nach einem der Anspruche 7 bis 1 0, da- 
durch gekennzeichnet, dass der Prozessor des fe- 
sten Sicherheitselements einen sicheren Prozes- 30 
sor mit einem internen Speicher zum Speichern des 
zweiten Codeschlussels (SSN.,) aufweist und so 
gestaltet ist, dass der zweite Codeschlussel nicht 
beobachtet werden kann. 

35 

1 2. Decodierer nach einem der Anspruche 7 bis 1 1 , da- 
durch gekennzeichnet, dass der Decodierer ein er- 
ster Decodierer eines Kabelnetzes ist, wobei das 
Kabelnetz mindestens einen weiteren Decodierer 
aufweist, wobei jeder Decodierer von dem minde- *o 
stens einen weiteren Decodierer ein zugehoriges 
austauschbares Sicherheitsmodul aufweist, wobei 
das teste Sicherheitselement des ersten Decodie- 
rers keinen einfach chiffrierten Codeschlussel er- 
zeugen kann, der vom austauschbaren Sicherheits- 
modul eines Decodierers von dem mindestens ei- 
nen weiteren Decodierer verarbeitet werden kann, 

urn den Arbeits-Codeschlussel zu erzeugen. 

13. Ein Decodierungsverfahren in einem Decodierer so 
mit den Schritten 

Verarbeiten eines zweifach chiffrierten Code- 
schlussels in einem Prozessor eines aus- 
tauschbaren Sicherheitsmoduls, das abnehm- ss 
bar angebracht werden kann, auf der Grundla- 
ge eines ersten Codeschlussels (SSN^, urn ei- 
nen teildechiffrierten CodeschlOssel zu erzeu- 
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gen; 

Verarbeiten des teildechiffrierten Codeschlus- 
sels in einem Prozessor eines festen Sicher- 
heitselements als einfach chiffrierter Code- 
schlussel (1 061 ) auf der Grundlage eines zwei- 
ten CodeschlOssels (SSN 0 ), um einen Arbeits- 
Codeschlussel (KOM1) zu erzeugen; und 
Verarbeiten von verschlusselten Programmda- 
ten (1062) auf der Grundlage des Arbeits-Co- 
deschlussels, um Decodierer-Kontrollinforma- 
tionen (1058) zu erzeugen, die zum Entschlus- 
seln von verschlusselten Signalen verwendet 
werden konnen. 

14. Decodierungsverfahren nach Anspruch 13, das au- 
Berdem einen Schritt des Speicherns des Arbeits- 
Codeschlussels in einem internen Speicher des 
Prozessors des festen Sicherheitselements auf- 
weist, sodass der Arbeits-Codeschlussel nicht be- 
obachtet werden kann. 

1 5. Decodierungsverfahren nach Anspruch 1 3 oder 1 4, 
das auGerdem einen Schritt des Speicherns des 
zweiten Codeschlussels (SSN.,) in einem internen 
Speicher des Prozessors des festen Sicherheits- 
elements aufweist, sodass der zweite Codeschlus- 
sel nicht beobachtet werden kann. 

1 6. Decodierungsverfahren nach einem der AnsprOche 
13 bis 15, das auGerdem einen Schritt des Spei- 
cherns des ersten CodeschlOssels (SSN.,) in einem 
internen Speicher des Prozessors des austausch- 
baren Sicherheitsmoduls aufweist, sodass der er- 
ste Codeschlussel nicht beobachtet werden kann. 

1 7. Decodierungsverfahren nach einem der Anspruche 
13 bis 16, das auOerdem einen Schritt des iSpei- 
cherns des zweiten Codeschlussels (SSN-,) in ei- 
nem internen Speicher des Prozessors des festen 
Sicherheitselements aufweist, sodass der zweite 
Codeschlussel nicht beobachtet werden kann. 

1 8. Decodierungsverfahren nach einem der Anspruche 
13 bis 17, dadurch gekennzeichnet, dass 

das teste Sicherheitselement ein erstes testes 
Sicherheitselement eines Kabelnetzes ist, wo- 
bei das Kabelnetz mindestens ein weiteres te- 
stes Sicherheitselement aufweist, und 
der Schritt des Verarbeitens eines zweifach 
chiffrierten Codeschlussels den teildechiffrier- 
ten Codeschlussel erzeugt, sodass der teilde- 
chiffrierte Codeschlussel von keinem festen Si- 
cherheitselement des mindestens einen weite- 
ren festen Sicherheitselements als einfach chif- 
frierter Codeschlussel verarbeitet werden 
kann, um den Arbeits-Codeschlussel zu erzeu- 
gen. 
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19. Ein Decodierungsverfahren in einem Decodierer 
mit den Schritten 

Verarbeiten eines zweifach chiffrierten Code- 
schlussels in einem Prozessor eines festen Si- 5 
cherheitselements auf der Grundiage eines er- 
sten Codeschlussels (SSN 1 ), um einen teilde- 
chiffrierten Codeschlussel zu erzeugen; 
Verarbeiten des teildechiffrierten Codeschlus- 
sels in einem Prozessor eines austauschbaren io 
Sicherheitsmoduls, das abanehmbar ange- 
bracht werden kann, als einfach ch iff rierter Co- 
deschlussel (1061) auf der Grundiage eines 
zweiten Codeschlussels (SSN-,), um einen Ar- 
beits-Codeschlussel (KOM1 ) zu erzeugen; und is 
Verarbeiten von verschlusselten Programmda- 
ten (1062) auf der Grundiage des Arbeits-Co- 
deschlussels, um Decodierer-Kontrollinforma- 
tionen (1058) zu erzeugen, die zum Entschlus- 
seln von verschlusselten Signal en verwendet 20 
werden konnen. 

20. Decodierungsverfahren nach Anspruch 1 9, das au- 
Berdem einen Schritt des Speicherns des Arbeits- 
Codeschlussels in einem internen Speicher des 25 
Prozessors des austauschbaren Sicherheitsmo- 
duls aufweist, sodass der Arbeits-Codeschlussel 
nicht beobachtet werden kann. 

21 . Decodierungsverfahren nach Anspruch 1 9 Oder 20, 30 
das auBerdem einen Schritt des Speicherns des 
zweiten Codeschlussels (SSIS^) in einem internen 
Speicher des Prozessors des austauschbaren Si- 
cherheitsmoduls aufweist, sodass der zweite Code- 
schlussel nicht beobachtet werden kann. 35 

22. Decodierungsverfahren nach einem der Anspruche 
19 bis 21, das auBerdem einen Schritt des Spei- 
cherns des ersten Codeschlussels (SSN^ in einem 
internen Speicher des Prozessors des festen Si- 40 
cherheitselements aufweist, sodass der erste Co- 
deschlussel nicht beobachtet werden kann. 

23. Decodierungsverfahren nach einem der Anspruche 

19 bis 22, das auBerdem einen Schritt des Spei- 45 
cherns des zweiten Codeschlussels (SSNt) in ei- 
nem internen Speicher des Prozessors des aus- 
tauschbaren Sicherheitsmoduls aufweist, sodass 
der zweite Codeschlussel nicht beobachtet werden 
kann. so 

24. Decodierungsverfahren nach einem der Anspruche 
19 bis 23, dadurch gekennzeichnet, dass 

das austauschbare Sicherheitsmodul ein er- ss 
stes austauschbares Sicherheitsmodul eines 
Kabelnetzes ist, wobei das Kabelnetz minde- 
stens ein weiteres austauschbares Sicher- 
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heitsmodul aufweist, und 
der Schritt des Verarbeitens eines zweifach 
chiffrierten Codeschlussels den teildechiffrier- 
ten Codeschlussel erzeugt, sodass der teilde- 
chiffrierte Codeschlussel von keinem aus- 
tauschbaren Sicherheitsmodul des mindestens 
einen weiteren austauschbaren Sicherheits- 
moduls als einfach chiff rierter Codeschlussel 
verarbeitet werden kann, um den Arbeits-Co- 
deschlussel zu erzeugen. 

25. Decodierungsverfahren nach einem der Anspruche 
13 bis 24, das auBerdem einen Schritt des Wieder- 
holens des Schritts des Verarbeitens von ver- 
schlusselten Programmdaten aufweist, um aufein- 
ander folgende Decodierer-Kontrollinformationen 
aus fortlaufend verarbeiteten verschlusselten Pro- 
grammdaten zu erzeugen, wan rend der Arbeits-Co- 
deschlussel unverandert bleibt. 



Revendications 

1. Decodeur comprenant un element de securite fixe 
(71 9), I'element de securite fixe comprenant un pro- 
cesses (713) pour traiter une cle cryptee une pre- 
miere fois (1 061 ) sur la base d'une cle (SSN 0 ) pour 
generer une cle de travail (KOM1) et pour traiter des 
donnees de programme brouille (1062) sur la base 
de la cle de travail afin de gene>er des informations 
de commande de decodeur (1058) utilisables pour 
desembrouiller des signaux brouilles, le decodeur 
comprenant en outre un module de securite rem- 
placable pouvant etre f ixe de facon amovible au de- 
codeur, le module de securite remplacable compre- 
nant un processeur pour traiter une cle cryptee 
deux fois sur la base d'une seconde cle (SSN^ ) afin 
de generer une cle partiellement decryptee, le pro- 
cesseur de I'element de securite fixe traitant la cle 
partiellement decryptee en tant que cle cryptee une 
premiere fois de sorte que la cle de travail est recu- 
peree a partir de la cle cryptee deux fois. 

2. Decodeur selon la revendication 1 , dans lequel le 
processeur de I'element de securite fixe comprend 
un processeur securise avec une memoire interne 
afin de m6moriser la c!6 de travail et configure de 
telle sorte que la cle de travail ne puisse pas etre 
observee. 

3. Decodeur selon la revendication 1 ou la revendica- 
tion 2, dans lequel le processeur de I'element de 
securite fixe comprend un processeur securise 
avec un memoire interne, afin de m6moriser la pre- 
miere cle (SSN 0 ) et configure de maniere a ce que 
la premiere cle ne puisse pas etre observee. 

4. Decodeur selon la revendication 1 , 2 ou 3, dans le- 
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quel le processeur de I'6l6ment de securite fixe est 
configure pour generer les informations de com- 
mando de decodeur successives a partir de don- 
nees de programme brouille trait6es de facon suc- 
cessive alors que la cle de travail reste inchangee. s 

5. D6codeur selon I'une quelconque des revendica- 
tions 1 a 4, dans lequel le processeur du module de 
security remplacable comprend un processeur se- 
curise avec une memoire interne, afin de memori- to 
ser la seconde cie (SSN^ et configure de maniere 

a ce que la seconde c!6 ne puisse" pas etre obser- 
vee. 

6. Decodeur selon Tune quelconque des revendica- is 
tions 1 a 5, dans lequel le decodeur est un premier 
decodeur d'un systeme a cable, le systeme a cable 
comprenant au moins un autre decodeur, chaque 
decodeur dudit au moins un autre decodeur com- 
prenant un element de s6curit6 fixe associe, le mo- 20 
dule de security remplacable du premier decodeur 
etant incapable de g6n6rer une cie cryptee une pre- 
miere fois qui puisse etre traitee par I'eiement de 
security fixe d'un decodeur quelconque dudit au 
moins un autre decodeur en vue de generer la cle 25 
de travail. 

7. D6codeur comprenant un module de s6curit6 rem- 
placable (1 01 4), le module de security remplacable 
comprenant un processeur (1051 ) destine a traiter so 
une cl6 cryptee une premiere fois (1061) sur la base 
d'une premiere cle (SSN 0 ) afin de g6n6rer une c!6 

de travail (KOM1 ) et de traiter des donn6es de pro- 
gramme brouiliees (1062) sur la base de la cie de 
travail afin de generer des informations de com- 35 
mande de decodeur (1058) utilisables pour desem- 
brouiller les signaux brouilles, le decodeur compre- 
nant en outre un element de securite fixe, I'eiement 
de securite fixe comprenant un processeur pour 
traiter une cie cryptee deux fois sur la base d'une *o 
seconde cie (SSN 1 ), afin de g6n6rer une cie partiel- 
lement decryptee, le processeur du module de se- 
curite remplacable traitant la cie partiellement de- 
cryptee en tant que cl6 cryptee une premiere fois 
de facon a ce que la cle de travail soit r^cuperee a 4 $ 
partir de la cle cryptee deux fois. 

8. D6codeur selon la revendication 7, dans lequel le 
processeur du module de securite remplacable 
comprend un processeur securise avec une me- so 
moire interne, afin de memoriser la cle de travail et 

. configure de maniere a ce que la cle de travail ne 
puisse pas etre observ6e. 

9. D6codeur selon la revendication 7 ou 8, dans lequel 55 
le processeur du module de securite remplacable 
comprend un processeur s6curis6 avec une m6- 
moire interne afin de memoriser la premiere cie 
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(SSN 0 ) et configure de maniere a ce que la premie- 
re cl6 ne puisse pas etre observed. 

10. Decodeur selon la revendication 7, 8 ou 9, dans le- 
quel le processeur du module de securite rempla- 
cable est conf igur6 de facon a generer des informa- 
tions de commande de decodeur successives a 
partir de donnees de programme brouiliees traitees 
success ivement alors que la cle de travail reste in- 
changee. 

11. Decodeur selon I'une quelconque des revendica- 
tions 7 a 1 0, dans lequel le processeur de I'eiement 
de s6curit6 fixe comprend un processeur securise 
avec une memoire interne, afin de memoriser la se- 
conde cle (SSN-,) et configurd de maniere a ce que 
la seconde cie ne puisse pas dtre observ6e. 

12. D6codeur seton I'une quelconque des revendica- 
tions 7 a 1 1 , dans lequel le decodeur est un premier 
decodeur d'un systeme a cable, le systeme a cable 
comprenant au moins un autre decodeur, chaque 
decodeur dudit au moins un autre decodeur com- 
prenant un module de securite remplacable asso- 
cie, I'eiement de securite fixe du premier decodeur 
6tant incapable de g6n6rer une cie cryptee une pre- 
miere fois, qui puisse etre traitee par le module de 
s6curit6 remplagable d'un d6codeur quelconque 
dudit au moins un decodeur afin de generer la cie 
de travail. 

1 3. Precede de decodage dans un decodeur, compre- 
nant les etapes consistant a : 

traiter une cle cryptee deux fois dans un pro- 
cesseur d'un module de securite remplacable 
pouvant etre fixe de facon amovible sur la base 
d'une premiere cie (SSN^ afin de g6n6rer une 
cie partiellement decryptee, 
traiter la cle partiellement decryptee dans un 
processeur d'un element de securite fixe en 
tant que cie cryptee une premiere fois (1061) 
sur la base d'une seconde cie (SSN 0 ) afin de 
generer une c!6 de travail (KOM1), et 
traiter des donnees de programme brouiliees 
(1062) sur la base de la cl6 de travail afin de 
generer des informations de commande de de- 
codeur (1058) utilisables pour desembrouiller 
des signaux brouilles. 

14. Procede de decodage selon la revendication 13, 
comprenant en outre une etape consistant a memo- 
riser la cl6 de travail dans une memoire interne du 
processeur de ('element de securite fixe de maniere 
a ce que la cie de travail ne puisse pas etre obser- 
v6e. 

15. Proc6d6 de decodage selon la revendication 1 3ou 
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la revendication 14, comprenant en outre une 6tape 
consistant a memoriser la seconde cle (SSN 0 ) dans 
une nrtemoire interne du processeurde I'6l6ment de 
securite fixe de maniere a ce que la seconde cl6 ne 
puisse pas etre observed. 

16. Procede de decodage selon Tune quelconque des 
revendications 13a 15, comprenant en outre une 
etape consistant a memoriser la premiere cle 
(SSNj) dans une memoire interne du processeur 
du module de s6curite remplacable de maniere a 
ce que la premiere cle ne puisse pas etre observee. 

17. Proced6 de decodage selon Tune quelconque des 
revendications 13 a 16, comprenant en outre une 
etape consistant a memoriser la seconde cle 
(SSN 0 ) dans une memoire interne du processeur 
de r6l£ment de securite" fixe de maniere a ce que 
la seconde cle ne puisse pas etre observee. 

18. Procede de decodage selon Tune quelconque des 
revendications 13 a 17, dans lequel : 

I'element de securite fixe est un premier 6I6- 
ment de securite fixe d'un systeme a cable, le 
systeme a cable comprenant au moins un autre 
Element de securite fixe, et 
I'etape de traitement d'une cle cryptee deux fois 
genere la cie partiellement decryptee de ma- 
niere a ce que la cie partiellement decrypted ne 
puisse pas etre traitee en tant que cle cryptee 
une premiere fois par tout element de securite 
fixe quelconque du au moins un autre element 
de security fixe en vue de gen6rer la cie de tra- 
vail. 

19. Procede de decodage dans un decodeur compre- 
nant les etapes consistant a : 

traiter une cie cryptee deux fois d'un proces- 
seur d'un element de securite fixe sur la base 
d'une premiere cie (SSN-|) afin de generer une 
cl6 partiellement decryptee, 
traiter la cl6 partiellement decrypted dans un 
processeur d'un module de securite remplaca- 
ble pouvant etre fixe de facon amovible en tant 
que cle cryptee une premiere fois (1061) sur la 
base d'une seconde cie (SSN 0 ) afin de g6n6rer 
une cle de travail (KOM1), et 
traiter des donnees de programme brouiilees 
(1062) sur la base de la cle de travail afin de 
generer des informations de commande de de- 
codeur (1058) utilisables pour le d6sem- 
brouillage des signaux brouilles. 

20. Procede de decodage selon la revendication 19, 
comprenant en outre une etape consistant a memo- 
riser la cle de travail dans une memoire interne du 
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processeur du module de securite remplacable de 
maniere a ce que la cle de travail ne puisse pas etre 
observee. 

21. Proc6d6 de decodage selon la revendication 19 ou 
la revendication 20, comprenant en outre une etape 
consistant a memoriser la seconde cle (SSN 0 ) dans 
une memoire interne du processeur du module de 
securite remplacable de maniere a ce que la secon- 
de cle ne puisse pas etre observee. 

22. Procede de decodage selon Tune quelconque des 
revendications 19 a 21, comprenant en outre une 
etape consistant a memoriser la premiere cle 
(SSN-,) dans une memoire interne du processeur 
de I'elemeht de securite fixe de maniere a ce que 
la premiere cle ne puisse pas 6tre observed. 

23. Precede de decodage selon Tune quelconque des 
revendications 19 a 22, comprenant en outre une 
etape consistant a memoriser la seconde cl6 
(SSN 0 ) dans une memoire interne du processeur 
du module de security remplacable de maniere a 
ce que la seconde cle ne puisse pas etre observee. 

24. Precede de decodage selon Tune quelconque des 
revendications 1 9 a 23, dans lequel : 

le module de securite remplacable est un pre- 
mier module de securite remplacable d'un sys- 
teme a cable, le systeme a cable comprenant 
au moins un autre module de securite rempla- 
cable, et 

I'etape de traitement de la cle cryptee deux fois 
genere la cle partiellement decryptee de ma- 
niere a ce que la cle partiellement decryptee ne 
puisse pas etre traitee en tant que cie cryptee 
une premiere fois par un module de securite 
remplacable quelconque du au moins un autre 
module de securite remplacable en vue de ge- 
nerer la c!6 de travail. 

25. Precede de decodage selon Tune quelconque des 
revendications 13 a 24, comprenant en outre une 
etape consistant a repeter I'etape de traitement des 
donnees de programme brouiilees afin de generer 
des informations de commande de d6codeur suc- 
cessives provenant de donnees de programme 
brouiilees traitees successivement alors que la cle 
de travail reste inchangee. 
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